NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Trusted Vendors List supports new option "Block signers not present in Trusted Vendors".
     
    Last edited: Jan 31, 2021
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    I know you will never be able to add every vendor as Trusted but what about Bitsum (Process Lasso), Sophus, Blackfog, Sinew Software Systems (Enpass), CybertronSoft (Privacy Eraser), WiseVector and Brightfort (SpywareBlaster)?

    I am sure there are many, many more and I do appreciate you can't add everyone but that is the challenge with that feature. The Scan System option would largely work around that issue though.
     
  3. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    I have added a couple of trusted vendors to my list. I have used the OSA scan option, but this doesn't necessarily help to detect the portable apps you trust. I have added approx. ten vendors to my list of trusted vendors (Nir Sofer, Nenad Hrg etc.) - works like a charm.:)
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Okay that makes sense. Thanks!
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Exactly.

    Also Trusted Publisher is certificate based. Certs. can be stolen, misappropriated (hack the certificate chain), you name it. Personally, I am surprised to see this feature being added to OSA. It has been pretty much abandoned by most security solutions except for initial reputation vetting status.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    @bjm_ explains it succinctly in post 3426. And fwiw, I never suggested signed vendors should take precedence over enabled Protections. I was simply curious as to how it works, and bjm_ explained it.
     
  7. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    After setting password in NVT OSArmor I tried uninstalling it
    and no password protection prompt box appeared. I'm assuming
    this is by design.

    Also again tested - play custom sound when notification is displayed
    and WAV file sounds, but when replaced with another short sound WAV
    file there is no sound.

    Tested OSArmor versions:
    1.4.3
    1.5.3

    NOTE: In version OSArmor 1.5.3 the WAV file sound is distorted/crackly
    when notification is displayed. (loon.wav)
    I kept a copy of the loon.wav file from version 1.4.3.
    I deleted WAV file from 1.5.3 and installed loon.wav file from version
    1.4.3 and it now sounds clear.
     
    Last edited: Jan 31, 2021
  8. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Hmmm, Compu KTed, it seems that one has to go all the way back to 1.4.3 for the sake of a complete and clear-sounding WAV? Now this is your custom WAV, not the default loon, right? Well, no going back for me, I'd like to persuade the dev to lengthen the WAV duration from 3 sec to something like 6 sec or best--9 sec. because not all of us use or want to use repositories with prefab sounds. 9 sec on here is the length of time for the popup notification box to appear and then disappear.

    I have WAVs that are snippets of actual music tracks and they're modified specifically to use with OSA. It's a shame to waste them and my primary WAV is not amenable to further shortening. It would sound ridiculous. :(

    I appreciate the confirmation. I have a 9 second WAV and it doesn't play at all. I mean, it should at least play 3 seconds' worth before abruptly cutting off or am I mistaken?
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Good test!

    Latest malware rage is just uninstall security software to bypass it. Appears OSA has an uninstaller in its Program File directory. Run that in silent mode and OSA bypassed.

    Also a surprising number of password protected AVs can be uninstalled the same way.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Maybe the Self Defense protection would interfere if malware attempts to uninstall? In fact there are probably a number of Protections, if enabled, that might interfere with malware tampering? Ofc there could be something more advanced that might bypass any of the protections. Obviously I don't know for sure, just speculating.

    Code:
    Process: [4336]C:\Program Files\NoVirusThanks\OSArmorDevSvc\unins000.exe
    
    Parent: [12228]C:\Windows\System32\cmd.exe
    Rule: EnableOSArmorSelfDefense
    Rule Name: Enable OSArmor self defense (basic)
    Command Line: "C:\Program Files\NoVirusThanks\OSArmorDevSvc\unins000.exe"
     
  11. guest

    guest Guest

    Did you even try it?

    Note:
     
  12. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    No other custom wav file I've tried has worked in OSArmor 1.4.3 +
    EXCEPT the default loon wav. That includes testing wav files less
    than 3 seconds in duration.
    Only assuming that it won't play at all. Dev would know.
    I know that I couldn't use my own short duration custom WAV file in OSArmor 1.5.4
    (no sound played)
     
  13. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    As mentioned already it does say it also prevents silent uninstallation via /VERYSILENT
    and /SILENT (unins000.exe). OSArmor 1.4 pre-release
    and that they'll add better self defense via kernel-mode driver in the next version.

    In uninstalling OSArmor (unins000.exe) I get popup window asking me
    are you sure you want to completely remove NVT OSArmor & all of its components.
    Also if I want to delete all settings, log files, & .DB files.
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Sounds good, thanks for considering. :thumb:
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    This may be a dumb question ...
    but I have two laptops with slightly different softs but am considering having a single backup .db of exclusions i.e. probably 90%+ of the rules are the same.
    I don't suppose there is a relatively simple way of merging / combining the contents of the two Exclusions.db's, that I could export / import between the two machines?

    Probably a mad hatter idea, more sensible to just keep two separate backups ...
     
  16. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
One has to simply check which process starts uninstalling when you go to Control Panel > Add or Remove Programs, and use that. Right now, OSArmor has protection against some parent processes launching the unins.exe, but what about the Control Panel process that Windows uses? Obviously, this would work for all programs. Except some are made unable to be uninstalled until you turn off their tamper protection. But OSA doesn't seem to have this.
     
  17. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    As someone already mentioned, it seems this option has priority over Exclusions. I tested this idea with the PrivacyEraser executable, which was not on my Trusted Vendors list. If I then added the PE exe to Exclusions, OSArmor still blocked it.
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new video where I test new OSArmor protection features with a few signed malware samples:
    https://www.youtube.com/watch?v=XUStga9CX1A

    As you can see, thanks to the rule "Block signers not present in Trusted Vendors" the recent malware samples signed with a valid certificate are blocked.

    Personally I find this feature definitely useful since you can control what are your Trusted Vendors and block the rest.

    Stealing a certificate is not that easy anymore (thanks to USB tokens / eSafeNet, etc) so should be very rare nowadays and hopefully in future even harder.

    Blocking of revoked and invalid certificates are also other very useful options to block threats as can be seen in the video.

    We'll add a button "Reset Trusted Vendors" to the defaults to restore original vendors list.

    @paulderdash

    We don't limit the WAV in either size or duration, I'll run some tests to see why it fails.

    Can you send me via email or PM a link to download your WAV file?

    Also, we didn't change the code related to playing the WAV.

    @Floyd 57 @itman

    We completely disabled /VERYSILENT and /SILENT uninstallation of OSA, it can only be uninstalled via Control Panel or Windows 10 Add or Remove Applications.

    Moreover, a malware would need Admin rights to fully uninstall OSA and once a malware gains Admin rights it could do anything in the system.

    OSA is totally focused on prevention, thus stopping the malware deliverability at first stages.

    @Krusty @bjm_

    Will add these other signers to Trusted Vendors, thanks for sharing them.
     
    Last edited: Feb 1, 2021
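The rule discussed above ("Block signers not present in Trusted Vendors", plus the separate options for revoked and invalid certificates) can be reproduced on the command line for your own files. The following is an added example, not OSArmor's code and not how NoVirusThanks implements the rule; it uses the Authenticode support PowerShell exposes through Get-AuthenticodeSignature and .NET's X509Chain. The vendor names in $TrustedVendors are assumed for illustration, and the policy follows the thread's description: unsigned files are left to other rules, anything whose signature fails to verify is blocked, an expired certificate without a countersignature timestamp is blocked, a revoked certificate is blocked, and a valid signature from a signer not on the list is blocked.

```powershell
# Added example (not OSArmor code): evaluate an executable the way a
# "Block signers not present in Trusted Vendors" rule would.
# $TrustedVendors is an assumed list for illustration; replace it with your own.
$TrustedVendors = @(
    'Microsoft Corporation',
    'Microsoft Windows',
    'Mozilla Corporation',
    'NoVirusThanks Company Srl'   # assumed spelling, for illustration only
)

function Get-SignerName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # SimpleName returns the subject CN (the "Signer" field shown in OSArmor logs).
    $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
}

function Test-TrustedVendorPolicy {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Trusted = $TrustedVendors
    )
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result = [ordered]@{
        Path   = $Path
        Status = $sig.Status
        Signer = $null
        Action = 'Allow'
        Reason = ''
    }

    switch ($sig.Status) {
        'NotSigned' {
            # This rule only judges signed files; unsigned binaries are left to other rules
            # (the 1.5.5 test3 notes describe fixing exactly this case).
            $result.Reason = 'unsigned; not covered by this rule'
            return [pscustomobject]$result
        }
        'Valid' { }
        default {
            # HashMismatch, NotTrusted, UnknownError etc.: the signature does not verify.
            $result.Action = 'Block'
            $result.Reason = "signature status $($sig.Status): $($sig.StatusMessage)"
            return [pscustomobject]$result
        }
    }

    $cert = $sig.SignerCertificate
    $result.Signer = Get-SignerName $cert

    # Expiry: a countersigned (timestamped) signature stays valid after the signing
    # certificate expires; without a timestamp an expired certificate is a block.
    if ($cert.NotAfter -lt (Get-Date) -and -not $sig.TimeStamperCertificate) {
        $result.Action = 'Block'
        $result.Reason = "certificate expired $($cert.NotAfter) and signature has no timestamp"
        return [pscustomobject]$result
    }

    # Revocation: rebuild the chain with online CRL/OCSP checking (needs network access).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($cert)
    $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $revoked = $chain.ChainStatus | Where-Object { $_.Status.HasFlag($revokedFlag) }
    $chain.Dispose()
    if ($revoked) {
        $result.Action = 'Block'
        $result.Reason = 'certificate revoked'
        return [pscustomobject]$result
    }

    # The rule itself: signed and valid, but the signer is not a Trusted Vendor.
    if ($Trusted -notcontains $result.Signer) {
        $result.Action = 'Block'
        $result.Reason = 'signer not present in Trusted Vendors'
    } else {
        $result.Reason = 'signer is a Trusted Vendor'
    }
    [pscustomobject]$result
}

# Usage: evaluate every executable in the Downloads folder.
Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" |
    ForEach-Object { Test-TrustedVendorPolicy -Path $_.FullName } |
    Format-Table Path, Status, Signer, Action, Reason -AutoSize
```

Two caveats a practitioner would want: matching on the subject CN, as the log's "Signer" field suggests the feature does, means a signer whose registered company name happens to collide with a trusted one passes, so a stricter allowlist pins the leaf or issuer certificate thumbprint ($cert.Thumbprint) rather than the name; and the revocation step depends on reaching the CA's CRL/OCSP endpoints, so an offline machine silently degrades to "not known to be revoked".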
  19. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
Why don't you combine OSArmor and NVT EXE Radar Pro in one? The way I see it now, they are both good by themselves but can't really be a standalone solution. I mean Radar Pro can be but **** does it take ****** effort to set up everything. It's a pain having to constantly save new stuff and Windows stuff etc. And ofc there's options to automatically allow system files and stuff like that, but that lowers the protection. So I think if you combine the two into one product, it will be perfect, there will be no need to run an AV alongside OSArmor.

    Also, radar pro is still 3.0, did this thing get abandoned? I remember back in 2019 there was v4 beta, 2 years later, still not out...
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    OSA self-protection blocked this:

    wmic product where name="OSArmorDevSvc" call uninstall
    running with admin privileges. As such, looks like its pretty well protected against being uninstalled.
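Whether or not a given product's self-defense holds, the uninstall attempts discussed in this thread (unins000.exe with /SILENT or /VERYSILENT, and wmic product ... call uninstall) leave a recognisable process-creation trail. The following is an added detection example, not OSArmor's code and not something the thread's participants ran; it generalises the two commands above by also covering an unattended msiexec removal. The event records are constructed for illustration in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, User), and the $SecurityProducts strings are assumed.

```powershell
# Added example (not OSArmor code): flag process-creation events that look like
# a silent/unattended attempt to remove security software.
$SecurityProducts = @('OSArmor', 'OSArmorDevSvc')   # assumed product strings to watch

# Constructed sample events (not real telemetry), in the shape of Sysmon Event ID 1.
$Events = @(
    @{ Image = 'C:\Program Files\NoVirusThanks\OSArmorDevSvc\unins000.exe';
       CommandLine = '"C:\Program Files\NoVirusThanks\OSArmorDevSvc\unins000.exe" /VERYSILENT';
       ParentImage = 'C:\Windows\System32\cmd.exe'; User = 'DAVID-HP\David' },
    @{ Image = 'C:\Windows\System32\wbem\WMIC.exe';
       CommandLine = 'wmic product where name="OSArmorDevSvc" call uninstall';
       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; User = 'DAVID-HP\David' },
    @{ Image = 'C:\Windows\System32\msiexec.exe';
       CommandLine = 'msiexec /x {11111111-2222-3333-4444-555555555555} /qn';   # constructed product code
       ParentImage = 'C:\Windows\System32\cmd.exe'; User = 'DAVID-HP\David' },
    @{ Image = 'C:\Program Files\NoVirusThanks\OSArmorDevSvc\unins000.exe';
       CommandLine = '"C:\Program Files\NoVirusThanks\OSArmorDevSvc\unins000.exe"';   # interactive, no silent switch
       ParentImage = 'C:\Windows\explorer.exe'; User = 'DAVID-HP\David' }
)

function Test-SilentUninstallAttempt {
    param(
        [Parameter(Mandatory)][hashtable]$Event,
        [string[]]$Products = $SecurityProducts
    )
    $cmd = [string]$Event.CommandLine
    $reasons = @()

    # 1. Inno Setup uninstaller (unins000.exe, unins001.exe, ...) run with a silent switch.
    if ($Event.Image -match '(?i)\\unins\d{3}\.exe$' -and $cmd -match '(?i)/(VERY)?SILENT\b') {
        $reasons += 'Inno Setup uninstaller with /SILENT or /VERYSILENT'
    }
    # 2. WMI Win32_Product uninstall. Win32_Product only enumerates Windows Installer (MSI)
    #    packages, but the attempt is a tamper signal whether or not it can reach the product.
    if ($Event.Image -match '(?i)\\wmic\.exe$' -and $cmd -match '(?i)\bproduct\b.*\bcall\s+uninstall\b') {
        $reasons += 'wmic product ... call uninstall'
    }
    # 3. Unattended msiexec removal (generalisation beyond the two commands in the thread).
    if ($Event.Image -match '(?i)\\msiexec\.exe$' -and
        $cmd -match '(?i)(^|\s)/(x|uninstall)\b' -and
        $cmd -match '(?i)(^|\s)/(q[nb]?|quiet|passive)\b') {
        $reasons += 'msiexec unattended uninstall'
    }

    # Does the command or image reference one of the products we care about?
    $hitsProduct = @($Products | Where-Object {
        $cmd -match [regex]::Escape($_) -or $Event.Image -match [regex]::Escape($_)
    }).Count -gt 0

    $severity = if ($reasons.Count -gt 0 -and $hitsProduct) { 'High' }
                elseif ($reasons.Count -gt 0)               { 'Medium' }
                else                                        { 'None' }

    [pscustomobject]@{
        Severity    = $severity
        Reason      = ($reasons -join '; ')
        Image       = $Event.Image
        ParentImage = $Event.ParentImage
        User        = $Event.User
        CommandLine = $cmd
    }
}

# Usage over the constructed sample set; only the silent/unattended attempts are flagged.
$Events | ForEach-Object { Test-SilentUninstallAttempt -Event $_ } |
    Where-Object Severity -ne 'None' |
    Format-Table Severity, Reason, ParentImage, CommandLine -AutoSize
```

To run this over live data, build the same hashtables from Sysmon Event ID 1 (Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}) or from Security event 4688, noting that 4688 only carries the command line when the "Include command line in process creation events" policy is enabled. The fourth sample, the interactive uninstall with no silent switch, deliberately scores 'None': the rule targets unattended removal, not an administrator using Programs and Features.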
     
  21. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    575
    A small correction: in the left screenshot, under "Digital Code Signature," the last two items should read "signed with an [expired/invalid] certificate" instead of "signed with a [expired/invalid] certificate."

    Keep up the good work! :thumb:
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new pre-release (not final) version of OSArmor Personal 1.5.5 test3:
    https://downloads.osarmor.com/osa-1.5.5-test3.exe

    Mainly added button to reset Trusted Vendors to default, fixed a small issue when an unsigned process was blocked due to "Block signers not present in Trusted Vendors", you can now exclude events blocked with the "Block signers not present in Trusted Vendors" rule, fixed typos in Configurator, other small improvements.

    @JEAM

    Thanks for reporting it, fixed now.

    @Floyd 57

    Thanks for the suggestions. As of now we are focused on OSArmor so this is our priority (among other things that will be revealed soon). Regarding merging of OSA and ERP, that is not an easy task and it needs to be discussed very accurately, our current plan is to keep OSA as simple as possible and only focused on its job (prevent malware infections), without user interventions/alerts like in ERP. This may change in future but is not an imminent possibility. ERP is in a sort of pause for now - as always for any updates I'll make sure to update the ERP thread.
     
  23. enemyofarsenic

    enemyofarsenic Registered Member

    Joined:
    Jun 18, 2011
    Posts:
    85
    Is OSArmor getting a web filter in the future?
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Before updating to Test 3 I didn't have the Trusted Vendor setting enabled. I just got this trying to install Privacy Eraser free version update.
    Date/Time: 2/02/2021 8:39:35 AM
    Process: [6368]C:\Users\David\Downloads\privacy-eraser-setup.exe
    Process MD5 Hash: 2CAF9C11EE24C707432739946082F31A
    Parent: [5812]C:\Program Files\Mozilla Firefox\firefox.exe
    Rule: BlockSignersNotPresentInTrustedVendors
    Rule Name: Block signers not present in Trusted Vendors
    Command Line: "C:\Users\David\Downloads\privacy-eraser-setup.exe"
    Signer: Shenzhen Saiboen Software Technology Co., Ltd.
    Parent Signer: Mozilla Corporation
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Are you stating Trusted Vendor option disabled and you were blocked by it?

    If enabled, I assume you will have to add:
    to Trusted Publisher list. Something I wouldn't do.
     